
access control

There are two ways to allow or restrict system login to specific user groups only. The simplest method is to use a PAM module called pam_listfile.so. Another option is to use the login access control table. Locking down system login access is a very important task if you need a secure system.

The system administrator is free to choose how individual service-providing applications authenticate users. Many new admins are not aware of PAM and related services. In this tip you are going to use the authentication (auth) group, which authenticates a user and sets up user credentials.

Deny or allow access to groups using PAM

pam_listfile is a PAM module which provides a way to deny or allow access to services based on an arbitrary file. The service can be any one of the following:
=> su
=> sudo
=> ftp
=> Mail Service (MTA/POP3/IMAP)
=> SSH
=> Samba
=> Crond
=> Squid and many others

How do I setup pam_listfile PAM module for group based login?

Let us say you would like to allow login only to members of the wheel (root user) and webdev groups.

Step # 1: Create /etc/login.group.allowed file

The file /etc/login.group.allowed contains one group name per line. If the group name is found, login is allowed; otherwise the authorization request is denied:
# vi /etc/login.group.allowed
Add group names:
root
wheel
webdev

Save and close the file.

Step # 2: Allow group based login to all services

Open /etc/pam.d/system-auth file if you are using Redhat / RHEL / Fedora / CentOS Linux. If you are using Debian / Ubuntu Linux use /etc/pam.d/common-auth file:
# vi /etc/pam.d/system-auth
You must add the following config directive at the top of the file:
auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed
Where,

  • auth required pam_listfile.so : The PAM module, marked required, that performs the group-based login check
  • onerr=fail : What to do if something goes wrong, such as being unable to open the file. In our case login is denied until the problem is sorted out.
  • item=group : Check the group name
  • sense=allow : The authorization request succeeds if the group name is found in /etc/login.group.allowed
  • file=/etc/login.group.allowed : The file contains one group name per line. If the group name is found and sense=allow, PAM_SUCCESS is returned, causing the authorization request to succeed.

Caution: Please note that by adding the above line you are forcing this configuration on all login services, including ssh, telnet, mail, su, sudo and all other PAM-aware services. If you need login restrictions for a specific service only, modify that service's file in /etc/pam.d/service-name instead.

Save and close the file. This will only allow users that belong to the root, wheel or webdev group to log in to the system. You can apply the above technique to:

  • User names
  • Shell
  • Tty names
  • Rhost / Ruser (remote login host / user id)

The config can be reversed to deny login to a specific group by modifying the configuration file. This is left as an exercise to the reader (hint: type man pam_listfile).

=> Related PAM config FAQ : Linux PAM configuration that allows or denies user login via the sshd server


The idea is very simple: you want to limit who can use sshd based on a list of users. The text file contains a list of users that may not log in (or are allowed to log in) using the SSH server. This is used for improving security.

PAM (Pluggable Authentication Modules) allows you to define a flexible mechanism for authenticating users. My previous post demonstrated how to deny or allow users using an sshd configuration option. However, if you want to block or deny a large number of users, use the PAM configuration.

A note for new sys admins

  1. Back up all data and PAM configuration files before any modification :)
  2. Be careful when performing the configuration. A wrong configuration can lock out all login access, including root access.
  3. Read this Linux-PAM configuration file syntax guide
  4. Now continue reading below for the pam_listfile.so configuration...

Use of pam_listfile.so module

This PAM module authenticates users based on the contents of a specified file. For example, if a username exists in the file /etc/sshd/ssh.allow, sshd will grant login access.

How do I configure pam_listfile.so module to deny access?

You want to block a user if the user name exists in the file /etc/sshd/sshd.deny.

Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends):
# vi /etc/pam.d/ssh

Append the following line:
auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed

Save and close the file.

Now add all usernames to the /etc/sshd/sshd.deny file. A user is denied login via sshd if they are listed in this file:
# vi /etc/sshd/sshd.deny

Append one username per line:
user1
user2
...

Restart sshd service:
# /etc/init.d/sshd restart

Understanding the config directives:

  • auth required pam_listfile.so : Name of the module required while authenticating users.
  • item=user : Check the username
  • sense=deny : Deny the user if found in the specified file
  • file=/etc/sshd/sshd.deny : Name of the file that contains the list of users (one user per line)
  • onerr=succeed : If an error is encountered (for example, the file cannot be opened), PAM returns the status PAM_SUCCESS.

How do I configure pam_listfile.so module to allow access?

You want to ALLOW a user to use ssh if the user name exists in the file /etc/sshd/sshd.allow.
Open /etc/pam.d/ssh (or /etc/pam.d/sshd for RedHat and friends):
# vi /etc/pam.d/ssh

Append the following line:
auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail

Save and close the file.

Now add all usernames to the /etc/sshd/sshd.allow file. A user is allowed to log in via sshd only if they are listed in this file:
# vi /etc/sshd/sshd.allow

Append one username per line:
tony
om
rocky

Restart sshd service (optional):
# /etc/init.d/sshd restart

Now if paul tries to log in using ssh he will get an error:
Permission denied (publickey,keyboard-interactive).

The following log entries are recorded in my log file (/var/log/secure or /var/log/auth.log):
tail -f /var/log/auth.log

Output:

Jul 30 23:07:40 p5www2 sshd[12611]: PAM-listfile: Refused user paul for service ssh
Jul 30 23:07:42 p5www2 sshd[12606]: error: PAM: Authentication failure for paul from 125.12.xx.xx

Understanding the config directives:

  • auth required pam_listfile.so : Name of the module required while authenticating users.
  • item=user : Check or specify the username
  • sense=allow : Allow the user if found in the specified file
  • file=/etc/sshd/sshd.allow : Name of the file that contains the list of users (one user per line)
  • onerr=fail : If the file does not exist or the username formatting is not correct, login is not allowed.
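The directives explained here and in the group-based section above combine item=, sense= and onerr= into one allow/deny decision. The following Python model, added here as an example (it is not the article's code nor Linux-PAM's), walks that decision over constructed list files; it assumes item=group matches any group the user belongs to, that a list file that cannot be opened is the case onerr= governs, and that the module refuses a world-writable list file. It also shows the trap in the deny configuration: sense=deny with onerr=succeed lets everyone in if the deny file is missing.

```python
"""Model of pam_listfile's allow/deny decision (added example, not the module's code)."""
import stat

# Constructed stand-in for the filesystem: path -> (mode, list entries).
# /etc/sshd/sshd.deny is deliberately absent to show what onerr= decides.
LISTS = {
    "/etc/login.group.allowed": (0o644, ["root", "wheel", "webdev"]),
    "/etc/sshd/sshd.allow": (0o644, ["tony", "om", "rocky"]),
    "/etc/sshd/weak.deny": (0o666, ["paul"]),  # world-writable on purpose
}

def parse_directive(line):
    """Split 'auth required pam_listfile.so k=v ...' into its option dict."""
    fields = line.split()
    if len(fields) < 3 or fields[2] != "pam_listfile.so":
        raise ValueError("not a pam_listfile directive: " + line)
    return dict(f.split("=", 1) for f in fields[3:])

def decide(line, user, groups=(), lists=LISTS):
    """Return 'allow' or 'deny' for user (member of groups) under the directive."""
    opts = parse_directive(line)
    item = opts.get("item", "user")
    sense = opts.get("sense", "allow")
    onerr = opts.get("onerr", "fail")  # an unset onerr is never success
    entry = lists.get(opts["file"])
    if entry is None:  # file cannot be opened: only onerr= decides
        return "allow" if onerr == "succeed" else "deny"
    mode, entries = entry
    if mode & stat.S_IWOTH:  # module logs an error and refuses the file
        return "deny"
    if item == "user":
        found = user in entries
    elif item == "group":
        found = any(g in entries for g in groups)
    else:
        raise ValueError("item=%s is not modelled here" % item)
    # sense=allow: listed -> success; sense=deny: listed -> failure
    return "allow" if found == (sense == "allow") else "deny"

if __name__ == "__main__":
    group_rule = "auth required pam_listfile.so onerr=fail item=group sense=allow file=/etc/login.group.allowed"
    allow_rule = "auth required pam_listfile.so item=user sense=allow file=/etc/sshd/sshd.allow onerr=fail"
    deny_open = "auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=succeed"
    deny_safe = "auth required pam_listfile.so item=user sense=deny file=/etc/sshd/sshd.deny onerr=fail"
    print("webdev member ->", decide(group_rule, "alice", ["users", "webdev"]))  # allow
    print("users only ->", decide(group_rule, "bob", ["users"]))  # deny
    print("paul vs sshd.allow ->", decide(allow_rule, "paul"))  # deny
    print("deny file missing, onerr=succeed ->", decide(deny_open, "paul"))  # allow (fails open)
    print("deny file missing, onerr=fail ->", decide(deny_safe, "paul"))  # deny
```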

Further reading:

  1. The Linux-PAM guide for system administrators
  2. The Sun Solaris PAM site has excellent information for both sys admins and developers
  3. Download the three Linux-PAM guides, for system administrators, module developers, and application developers.

Iptables Restricting Access By Time Of The Day

Recently I was asked to control access to a couple of services based upon day and time. For example, an ftp server should only be available from Monday to Friday between 9 AM and 6 PM. It is true that many services and daemons have a built-in facility for day- and time-based access control.